Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-05-10 14:13:58 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-16 08:28:01 +0200
commit4b4c106b8529b3d2cc847024376febe9a4e3c993 (patch)
tree6dca968be29abf6f6f3d8f06d5c2fa2dd5365509
parent7b0744f55906b5b52d3541b47ceaa2f2b596b995 (diff)
net: stmmac: fix memory corruption with large MTUs
(networking-stable-19_03_28).
-rw-r--r--patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch62
-rw-r--r--series.conf1
2 files changed, 63 insertions, 0 deletions
diff --git a/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch b/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
new file mode 100644
index 0000000000..7d35824b58
--- /dev/null
+++ b/patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
@@ -0,0 +1,62 @@
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Mon, 18 Mar 2019 23:36:08 +0200
+Subject: net: stmmac: fix memory corruption with large MTUs
+Git-commit: 223a960c01227e4dbcb6f9fa06b47d73bda21274
+Patch-mainline: v5.1-rc3
+References: networking-stable-19_03_28
+
+When using 16K DMA buffers and ring mode, the DES3 refill is not working
+correctly as the function is using a bogus pointer for checking the
+private data. As a result stale pointers will remain in the RX descriptor
+ring, so DMA will now likely overwrite/corrupt some already freed memory.
+
+As simple reproducer, just receive some UDP traffic:
+
+ # ifconfig eth0 down; ifconfig eth0 mtu 9000; ifconfig eth0 up
+ # iperf3 -c 192.168.253.40 -u -b 0 -R
+
+If you didn't crash by now check the RX descriptors to find non-contiguous
+RX buffers:
+
+ cat /sys/kernel/debug/stmmaceth/eth0/descriptors_status
+ [...]
+ 1 [0x2be5020]: 0xa3220321 0x9ffc1ffc 0x72d70082 0x130e207e
+ ^^^^^^^^^^^^^^^^^^^^^
+ 2 [0x2be5040]: 0xa3220321 0x9ffc1ffc 0x72998082 0x1311a07e
+ ^^^^^^^^^^^^^^^^^^^^^
+
+A simple ping test will now report bad data:
+
+ # ping -s 8200 192.168.253.40
+ PING 192.168.253.40 (192.168.253.40) 8200(8228) bytes of data.
+ 8208 bytes from 192.168.253.40: icmp_seq=1 ttl=64 time=1.00 ms
+ wrong data byte #8144 should be 0xd0 but was 0x88
+
+Fix the wrong pointer. Also we must refill DES3 only if the DMA buffer
+size is 16K.
+
+Fixes: 54139cf3bb33 ("net: stmmac: adding multiple buffers for rx")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Acked-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+@@ -114,10 +114,11 @@ static unsigned int stmmac_is_jumbo_frm(
+
+ static void stmmac_refill_desc3(void *priv_ptr, struct dma_desc *p)
+ {
+- struct stmmac_priv *priv = (struct stmmac_priv *)priv_ptr;
++ struct stmmac_rx_queue *rx_q = priv_ptr;
++ struct stmmac_priv *priv = rx_q->priv_data;
+
+ /* Fill DES3 in case of RING mode */
+- if (priv->dma_buf_sz >= BUF_SIZE_8KiB)
++ if (priv->dma_buf_sz == BUF_SIZE_16KiB)
+ p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB);
+ }
+
diff --git a/series.conf b/series.conf
index e88901ed9e..184c923f49 100644
--- a/series.conf
+++ b/series.conf
@@ -21586,6 +21586,7 @@
patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch
patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch
patches.drivers/mISDN-hfcpci-Test-both-vendor-device-ID-for-Digium-H.patch
+ patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch
patches.suse/net-packet-Set-__GFP_NOWARN-upon-allocation-in-alloc.patch
patches.fixes/0001-netfilter-bridge-set-skb-transport_header-before-ent.patch
patches.fixes/rhashtable-Still-do-rehash-when-we-get-EEXIST.patch